Attacks On Smart Card

The document discusses various types of attacks against smart cards, including physical attacks, side-channel attacks like timing attacks and power analysis attacks, and countermeasures. It provides examples of simple and more advanced power analysis attacks and how they can be used to extract secret information like cryptographic keys.


Attacks on Smart Cards

Michael Tunstall


Bull CP8 Patents

Outline
- Smart Cards: What and Why
- Attacks on cards
  - Physical
  - Timing, SPA, DPA, DFA
- Attacks on systems using Smart Cards
- Examples

Attacks on Smart Cards - Copyright Gemplus Ltd 2003

What is a Smart Card


Chip Structure


Why Use Smart Cards?


- Tamper resistance: storage
- Tamper resistance: processing (the slide shows plaintext "[Blah Blah]" going into the card and ciphertext "[@^#~r&]" coming out)
- Portability
- Ease of use
- Onboard key generation
- Cost


Outline
- Smart Cards: What and Why
- Attacks on cards
  - Physical
  - Timing, SPA, DPA, DFA
- Attacks on systems using smart cards
- Examples


Classes of Attacks
- Physical
- Side-channel
- Software
- Environment


Power Outage
- Attack on Vpp using nail polish: card not debited
- Card contacts shown on the slide: Vcc, Reset, Clock, Ground, Vpp, I/O


Probe Stations, F.I.B.


If you have more money, or if you are a student.


Chip Re-Wiring


Addition of a Track


Cutting of a Track


Countermeasures
- Metal layers
- Bus scrambling
- Onboard sensors
  - Temperature, light, frequency
  - Integrity:


Chip Structure


Physical Attacks Summary


- Difficult to defeat completely
- Expensive
- Destructive
- Target dependent
- Time consuming


Classes of Attacks
- Physical
- Side-channel
- Software
- Environment


Side Channel Attacks


Exploit information on secret data leaked by the card:
- Time (Timing Attacks)
- Power (SPA, DPA)
- Radiation (Electromagnetic SPA/DPA)


Timing Attacks
You put $28 in one of the pots and $10 in the other (the slide shows the two pots with the amounts in one of the two possible orders).

Question: compute Blue * 10 + Red * 7 and tell me if the result is odd or even.

Is your answer enough to reveal what's in each pot?


Timing Attacks
Well, normally not: 28 * 7 + 10 * 10 = 296 is an even number, and 10 * 7 + 28 * 10 = 350 is also even.

However, just by monitoring the time it takes to give the answer, one can tell where each amount is!


Timing Attack on a Smart Card

[Flow chart on the slide: Start -> Decision -> either Process 1 (duration t) or Process 2 (duration t + delta t) -> End. The branch taken changes the execution time, which is what the attacker measures.]


Power Attacks
Measure the circuit's processing time and current consumption to infer what is going on inside it (slide diagram: input -> card -> output).


Power Attacks
Seattle, 1999. US and French delegates negotiate under which conditions beef could be imported to France. The Sun sends a journalist to investigate:


Power Attacks
But there is a technical problem: negotiations take place in a hotel whose windows are opaque.


Power Attacks
Idea: look at the hotel's electricity meter!


Power Attacks
Disk is spinning slowly: the headline reads "DEAL CONCLUDED".

Power Attacks
But if the disk is spinning quickly: "NEGOTIATORS BREAK!" (the slide shows a mock front page of The Sun, with the usual tabloid filler around the headline).


SPA attack on RSA


SPA against RSA private exponentiation s = m^d mod n
- n: large modulus, say 1024 bits
- m: message
- s: signature
- d: private exponent

The attacker aims at retrieving d.


SPA attack on RSA


Implementation (assumed known hereafter)
- basic square and multiply algorithm
- exponent bits scanned from MSB to LSB (left to right)

    Let k = size of d in bits
    Let s = m
    For i = k-2 down to 0
        Let s = s*s mod n        (SQUARE)
        If (bit i of d) = 1 then
            Let s = s*m mod n    (MULTIPLY)
        End if
    End for

SPA attack on RSA

Example: s = m^9 = m^(1001b)
- init (MSB 1): s = m
- round 2 (bit 0): s = m^2
- round 1 (bit 0): s = (m^2)^2 = m^4
- round 0 (bit 1): s = (m^4)^2 * m = m^9


SPA attack on RSA


Test key value: 0F 00 F0 00 FF 00

Operation sequence read from the power trace, with the exponent bits it encodes (the leading 1 is the initialisation, then S = square, SM = square followed by multiply):

    SMSMSM SSSS SSSS                 1 1 1 1  0000 0000               -> 0F 00
    SMSMSMSM SSSS SSSS SSSS          1 1 1 1  0000 0000 0000          -> F0 00
    SMSMSMSMSMSMSMSM SSSS SSSS       1 1 1 1 1 1 1 1  0000 0000       -> FF 00


SPA attack on RSA


Reading a full trace: 2E C6 91 5B F9 4A = 0010 1110 1100 0110 1001 0001 0101 1011 1111 1001 0100 1010

Key value: 2E C6 91 5B F9 4A
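As an added example (not from the slides), the square-and-multiply routine above in Python, together with the step the slide's S/M patterns invite: reading an operation sequence back into exponent bits. The modulus and message values used for the demonstration are constructed.

```python
def square_and_multiply(m, d, n):
    """Left-to-right square-and-multiply as on the slide: the MSB of d is the
    initialisation, then for every remaining bit a SQUARE, plus a MULTIPLY only
    when the bit is 1. Returns the result and the S/M sequence a trace shows."""
    if d <= 0:
        raise ValueError("exponent must be positive")
    k = d.bit_length()
    s = m % n                       # init: s = m (MSB is 1)
    ops = []
    for i in range(k - 2, -1, -1):  # bits k-2 down to 0
        s = s * s % n               # SQUARE
        ops.append("S")
        if (d >> i) & 1:
            s = s * m % n           # MULTIPLY
            ops.append("M")
    return s, "".join(ops)


def exponent_from_ops(ops):
    """Read the exponent back from a transcribed S/M sequence (spaces ignored):
    each S starts a new bit; S followed by M is a 1, a lone S is a 0; the MSB
    is the implicit leading 1."""
    ops = ops.replace(" ", "")
    bits = ["1"]
    i = 0
    while i < len(ops):
        if ops[i] != "S":
            raise ValueError(f"unexpected operation {ops[i]!r} at position {i}")
        if i + 1 < len(ops) and ops[i + 1] == "M":
            bits.append("1")
            i += 2
        else:
            bits.append("0")
            i += 1
    return int("".join(bits), 2)


# The three pattern lines of the slide, transcribed as one trace (test key 0F 00 F0 00 FF 00)
SLIDE_TRACE = "SMSMSM SSSS SSSS  SMSMSMSM SSSS SSSS SSSS  SMSMSMSMSMSMSMSM SSSS SSSS"

if __name__ == "__main__":
    # Constructed demo values: a toy modulus and message, with the slide's second key
    n, m, d = 2**61 - 1, 12345, 0x2EC6915BF94A
    s, ops = square_and_multiply(m, d, n)
    assert s == pow(m, d, n)
    print(ops)
    print(hex(exponent_from_ops(ops)), hex(exponent_from_ops(SLIDE_TRACE)))
```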


Randomising RSA
RSA signature:


Summary on SPA
SPA uses implementation related patterns.

SPA strategy:
- algorithm knowledge
- reverse engineering phase (signature location)
- representation tuning (height of view, zoom, visualisation)
- playing with implementation assumptions...

SPA is always specific, due to:
- the algorithm implementation
- the applicative constraints
- the chip's technology (electrical properties)
- possible counter-measures...


DPA
- Based on SPA
- Adding the power of statistics to separate signal from noise


DPA Hypothesis
Play the algorithm N times (100 < N < 100000):
- Input data: messages Mi
- Algorithm
- Output: cipher texts Ci
- Power consumption curves Wi (or other side channel leakage like EM radiation)



Acquisition procedure
After data collection, what is available?
- N plain and/or cipher random texts

    i    text
    00   B688EE57BB63E03E
    01   185D04D77509F36F
    02   C031A0392DC881E6

- N corresponding power consumption waveforms


Selection & Prediction

Assume the data are processed by a known deterministic function f (transfer, permutation...). Knowing the data, one can re-compute off line its image through f:

    Mi -> Mi' = f[Mi]

Now select a single bit among the M bits (in the M buffer). One can predict the true story of its variations:

    i    Message             bit
    0    B688EE57BB63E03E    1
    1    185D04D77509F36F    0
    2    C031A0392DC881E6    1
    ...


DPA Operator
Partition the data and related curves into two packs according to the selection bit value, bit(Mi) = 0 or bit(Mi) = 1, and assign -1 to pack 0 and +1 to pack 1:

    i    Message             bit    sign
    0    B688EE57BB63E03E    1      +1
    1    185D04D77509F36F    0      -1
    2    C031A0392DC881E6    1      +1

Sum the signed consumption curves and normalise, which is equivalent to a difference of averages (N0 + N1 = N):

$$\mathrm{DPA} = \frac{1}{N_1}\sum_{\text{pack } 1} W_i - \frac{1}{N_0}\sum_{\text{pack } 0} W_i$$


DPA Curve Construction

[Slide diagram: the N messages (B688EE..., 185D04D..., C031A0..., ...) are sorted by their selection bit into the 0 and 1 groups, the corresponding curves W are averaged within each group, and the difference of the two averages is the DPA curve.]


DPA Curve Example

DPA curves for different selection bits (slide plot, with the Max/Min scale of the DPA amplitude).

DPA Curve Example

Peaks are present when the selection bits are handled.


DPA operator & curve

Spikes explanation: Hamming weight of the byte that contains the selection bit.

    Messages with selection bit = 1 (e.g. 01001011, 01101010, 11001000, ...):  Average = $E[HW_1] = 1 + 3.5$
    Messages with selection bit = 0 (e.g. 11001101, 10110100, 01011110, ...):  Average = $E[HW_0] = 0 + 3.5$

    $\Delta = E[HW_1] - E[HW_0] = 1$

Contrast (peak height) is proportional to $N^{1/2}$ (evaluation criterion).

If the prediction was wrong, the selection bit would be random: $E[HW_0] = E[HW_1] = 4$, so $\Delta = 0$.

Reverse engineering using DPA

Use DPA to locate when predictable things occur. Example: locate an algorithm trace by targeting its output (ciphertext transfer to RAM; the ciphertext is given).

[Slide figure: the consumption curve, with the DPA curves for a bit of the 1st byte and for a bit of the last byte of the ciphertext peaking where the transfer happens; the computation is before those peaks.]

Attacking a Secret Key Algorithm

DPA works thanks to the perfect prediction of the selection bit. How to break a key?

    Key ?  +  Messages Mi  ->  Cryptographic Algorithm  ->  Ciphertexts Ci
                                                            Power Consumption Curves Wi



DPA: typical target

Basic mechanism in secret key algorithms (AES, DES):

    Message byte M  --(Exclusive OR with key byte K)-->  SBox  -->  S  (selection bits)

Non-linear substitution by table look-up: S = SB(K ⊕ M)

Attacking a Secret Key Algorithm

Try different keys and validate them with DPA. Isn't it like a cryptographic exhaustive search? Not exactly, because the search space is drastically reduced!


Hypothesis Testing (guess)

Example: AES 128-bit key = 16 bytes Ki (i = 1 to 16)
- Test 256 guesses per Ki with 256 DPA
- 128 key bits disclosed with 16 x 256 = 4096 DPA (<< 2^128 !)

[Slide diagram: each message Mn is XORed with the guessed Ki and passed through the SBox to predict the selection bit; the curves are sorted into the 0 and 1 groups, averaged, and differenced into the DPA curve.]


Hypothesis Testing (guess)

DPA on AES: 1st round and 1st byte (right guess = 1). The slide shows the DPA curves for guess 1, guess 98 and guess 204 on a common Max/Min scale.


Hypothesis Testing (guess)

The right guess provides the highest spikes! (Slide plot: peak height against guess index, from 1 to 2^n - 1.)

Hypothesis Testing (right guess)

Right guess: exact prediction of the selection bit (D = 1 or D = 0 assigned to each message).

    i    Message             Real    Predicted
    0    B688EE57BB63E03E    1       1
    1    185D04D77509F36F    0       0
    2    C031A0392DC881E6    1       1

Average 1 - Average 0 -> DPA peak

Hypothesis Testing (wrong guess)

Wrong guess: wrong prediction of the selection bit.

    i    Message             Real    Predicted
    0    B688EE57BB63E03E    1       0
    1    185D04D77509F36F    0       1
    2    C031A0392DC881E6    1       1

Average 1 - Average 0 -> no DPA peak

Hypothesis Testing (guess)

Wrong guesses may provide higher DPA peaks! (Slide plot: peak height against guess index from 1 to 2^n - 1, with several wrong guesses standing out.)


Hypothesis Testing
Typical difficulties:
- low contrast between the guesses
- wrong guesses leading to higher peaks (false alarm)

Possible explanations:
- physical: lack of correlation between data & signals
- cryptographic: algorithmic noise (implementation model)

Practical solutions:
- try other selection bits (but they do not necessarily agree!)
- complementary exhaustive search on gleaned information


DPA on other algorithms

DES (64 - 8 = 56 key bits)
- historically the 1st target of DPA
- more complicated: several possible targets
  - 8 SBoxes: 6 input bits, 4 output bits
  - key schedule (subkeys)
- 8 x 64 = 512 guesses
- only 48 bits on the 1st round
- 2nd round attack for the whole key
- possibility of last round DPA

[Slide figure, DES 1st round: M (message) -> IPerm -> L0 (32 bits), R0 (32 bits); R0 -> EPerm -> 6 bits x 8, XOR SubKEY1 Ki (6 bits) x 8 -> S-Box -> 4 bits x 8 -> PPerm -> 4 bits x 8, XOR L0 -> R1 (32 bits); L1 (32 bits) = R0.]

DPA on other Algorithms

Other SK algorithms:
- AES
- 3-DES
- Comp 128
- Hash MAC
- modular arithmetic (modulo 256, 257)
- proprietary (GSM)

RSA modular exponentiation:
- No key schedule => prediction more difficult
- The key is not entirely handled from the beginning, but progressively introduced
- Prediction by time slices: inferring the next bit requires the previous bit to be broken


DPA Countermeasures

[Slide diagram: the DPA hypothesis-testing chain again (message Mn XOR subKi -> selection bit -> curves sorted into the 0 and 1 groups -> averages -> DPA), used as the reference for the counter-measures that follow.]


Anti-DPA counter-measures
Applicative counter-measures: make free randomisation of the message impossible
- Fix some message bytes
- Constrain the variable bytes (ex: transaction counter)

Decorrelate power curves from data
- by hardware: current scramblers (additive noise)
- by software: data whitening

Desynchronise the N traces (curves misalignment)
- software random delays
- software random orders (ex: SBoxes in random order)
- hardware wait states (dummy cycles randomly added by the CPU)
- hardware unstable internal clock (phase shift)

DPA is powerful, generic (to many algorithms) and robust (to model errors), but there are counter-measures!
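An added simulation (not the deck's code) of the hypothesis testing described in the DPA slides above and of the desynchronisation counter-measure: constructed traces under a Hamming-weight model of the first-round AES S-box output, 256 guesses per key byte, difference-of-averages curves, and the collapse of the right guess's peak when the leaking sample moves randomly from trace to trace. The AES S-box is computed rather than tabulated; trace length, leak position, noise level, seed and key byte are constructed parameters.

```python
import random

# --- AES S-box, computed instead of tabulated: GF(2^8) inverse then affine map ---
def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def _sbox_entry(x):
    inv = next((y for y in range(1, 256) if _gf_mul(x, y) == 1), 0)
    s = inv
    for i in range(1, 5):  # s = inv ^ rotl(inv,1) ^ rotl(inv,2) ^ rotl(inv,3) ^ rotl(inv,4)
        s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]

def hw(v):
    """Hamming weight: the leakage model used in the slides."""
    return bin(v).count("1")

T_SAMPLES = 6    # constructed: samples per trace
LEAK_INDEX = 3   # constructed: where SB(M xor K) is handled when traces are aligned

def simulate_traces(key_byte, n_traces, noise_sd, seed, desync=False):
    """Constructed traces: one sample carries HW(SB(M xor K)) + Gaussian noise, the
    other samples the HW of unrelated random bytes. With desync=True the leaking
    sample moves randomly per trace, like the random-delay / unstable-clock
    counter-measures (curves misalignment)."""
    rng = random.Random(seed)
    msgs, traces = [], []
    for _ in range(n_traces):
        m = rng.randrange(256)
        w = [hw(rng.randrange(256)) + rng.gauss(0, noise_sd) for _ in range(T_SAMPLES)]
        pos = rng.randrange(T_SAMPLES) if desync else LEAK_INDEX
        w[pos] = hw(SBOX[m ^ key_byte]) + rng.gauss(0, noise_sd)
        msgs.append(m)
        traces.append(w)
    return msgs, traces

def dpa_curve(msgs, traces, guess, bit):
    """Difference of averages (pack 1 minus pack 0), the selection bit being bit
    `bit` of the predicted S-box output SB(M xor guess)."""
    pack = ([], [])
    for m, w in zip(msgs, traces):
        pack[(SBOX[m ^ guess] >> bit) & 1].append(w)
    if not pack[0] or not pack[1]:
        return [0.0] * T_SAMPLES
    avg0, avg1 = ([sum(col) / len(p) for col in zip(*p)] for p in pack)
    return [a1 - a0 for a1, a0 in zip(avg1, avg0)]

def peak(curve):
    return max(abs(v) for v in curve)

def recover_key_byte(msgs, traces, bit=0):
    """Hypothesis testing: 256 guesses, 256 DPA curves, the highest peak wins.
    Returns (best guess, the 256 peak heights)."""
    peaks = [peak(dpa_curve(msgs, traces, g, bit)) for g in range(256)]
    return max(range(256), key=peaks.__getitem__), peaks

if __name__ == "__main__":
    msgs, traces = simulate_traces(0x5B, 3000, 0.5, seed=2003)
    best, peaks = recover_key_byte(msgs, traces)
    print(f"aligned traces: recovered 0x{best:02X}, peak {peaks[best]:.2f}")
    msgs, traces = simulate_traces(0x5B, 3000, 0.5, seed=2003, desync=True)
    print(f"desynchronised: right-guess peak {peak(dpa_curve(msgs, traces, 0x5B, 0)):.2f}")
```

With aligned traces the right guess's peak sits near the expected E[HW1] - E[HW0] = 1 of the earlier slide; with the leak position randomised over six samples it falls to roughly a sixth of that.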

Anti-DPA counter-measures
Internal clock effects (phase shift): the slide compares traces captured at 1 GS/s with a synchronized and with a desynchronized internal clock.

DPA Summary
- Very effective
- Target independent
- Can be automated
- Does not require expensive hardware
- Effective countermeasures exist
- Still need to get hold of the card


Electromagnetic Power Analysis


Probe design
Hamming distance model for information leakage:
- Correlated to the number of flipping bits (CMOS, VLSI)
- Electrical transitions disturb the EM near field (and its flux)

Capture by inductive probe:
- Handmade solenoid, diameter 150 to 500 µm (shown on the slide next to a 3 mm scale), V = dΦ/dt
- Difficult to calibrate (bandwidth > 100 MHz, low voltage, parasitic effects)
- Good acquisition chain required, but no Faraday cage (sampling at 1 GHz)


Electromagnetic Signals
Raw signals for the TIA instruction (transfer into accumulator), TIA(00) versus TIA(FF): the power trace is less noisy, but the EM signatures are sharper!

Spatial positioning
Horizontal cartography (XY plane) to pinpoint instruction related areas; better if automated.

[Slide figure: probe over the chip layout (ROM, EEPROM, RAM, CPU, CRYPTO blocks), die about 5.5 mm x 4.5 mm.]


Spatial positioning
EM signals versus XY probe position: differential traces between (00h 00h) and (FFh 00h) picked up at different locations, compared with the power data signatures.


DEMA against the alleged COMP128

First successful attack in Gemplus. The DETECTION problem: better signal to noise on DEMA curves than on DPA, despite noisier measurements! (Slide: DPA and DEMA curves side by side.)

SEMA against RSA

SEMA/SPA exploit larger scale patterns (single trace). Decapsulation (no statistical improvement for S/N).

Two exponentiations involving 3 bytes of the private key: FFA5FFh and 666666h (same message and modulus).
- EM patterns: possible SEMA
- Power (no pattern): no SPA


Electromagnetic Signals
Advantages of EMA versus PA:
- Local information, more data correlated
- EMA bypasses current smoothers
- EMA goes through HW countermeasures: shields, randomized logic

Drawbacks:
- Experimentally more complicated
- Geometrical scanning can be tedious
- Low level and noisy signals (decapsulation required)


Countermeasures
Software (crypto routines): coding techniques, same as anti DPA/SPA (data whitening)

Hardware (chip designers):
- confine the radiation (metal layer)
- blur the radiation (e.g. by an active emitting grid)
- reduce the radiation (technology trends to shrinking)
- cancel the radiation (dual logic)


Fault Induction (DFA)

"Jolt" the smart card off its normal processing. Exploit any information that might be revealed. Power glitches, flashes, ...


Fault Attacks
Weights of coins:
- a dollar: 5 grams
- a cent: 3 grams

How much money does a 15 gram vault contain? Trivially, one of the following:
- either 3 x 5 = 15: 3 dollars
- or 5 x 3 = 15: 5 cents
But how to tell the difference?


Fault Attacks
Assume that the owner of the vault has the habit of counting the amount in the vault each evening. Have him drink some vodka so that he mistakes a cent for a dollar or the other way around. Put the vault on the balance again:
- either 5 x 2 + 3 = 13 grams
- or 4 x 3 + 5 = 17 grams
You can now tell exactly what the amount in the vault was.


RSA using the Chinese Remainder Theorem


a and b are precomputed values, such that:

The two elements that replace d will be half the size (in bits) compared to d.


RSA using the Chinese Remainder Theorem


The secret key elements are used to calculate:

These two exponentiations will be computed four times faster than the usual m^d (mod n), which can be used to generate a signature:


Against an RSA using the Chinese Remainder Theorem

Two exponentiations are needed to generate an RSA signature. A fault in one exponentiation will provide an incorrect result that can leak information on the secret key used.


If a fault occurs
If a fault occurs during the calculation of Sq then:

and the secret prime numbers can be found by


Against an RSA using the Chinese Remainder Theorem

A correct signature S and an incorrect signature S' can be used to derive one of the prime numbers used in RSA: a GCD between the difference and n.


Countermeasures
Software
- Execution redundancy
  - repeating an algorithm
  - executing the inverse algorithm (ideal for RSA)
- Checksums on data transfers
- Randomised execution
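An added worked example (not from the slides) of the CRT fault described above and of the inverse-algorithm countermeasure: a toy RSA-CRT signature, a constructed fault in Sq, the gcd(S - S', n) recovery of a prime factor, and the public-exponent verification that keeps the faulty signature from leaving the card. Primes, exponent and message are constructed toy values; the recombination S = a*Sp + b*Sq mod n is the standard CRT form.

```python
from math import gcd

# Constructed toy key: real RSA primes are 512+ bits; these keep the numbers readable.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def crt_key(p, q, d):
    """The two half-size exponents dp, dq and the standard CRT recombination
    coefficients a, b (a = 1 mod p and 0 mod q; b = 0 mod p and 1 mod q)."""
    dp, dq = d % (p - 1), d % (q - 1)
    a = q * pow(q, -1, p)
    b = p * pow(p, -1, q)
    return dp, dq, a, b

def sign_crt(m, p, q, d, fault_in_sq=False):
    """RSA-CRT signature S = a*Sp + b*Sq mod n. fault_in_sq models a glitch that
    corrupts the second exponentiation (one flipped bit in Sq)."""
    dp, dq, a, b = crt_key(p, q, d)
    sp = pow(m, dp, p)
    sq = pow(m, dq, q)
    if fault_in_sq:
        sq ^= 1
    return (a * sp + b * sq) % (p * q)

def factor_from_faulty_signature(s_good, s_bad, n):
    """The slide's observation: S - S' is a multiple of p (Sp was untouched) but not
    of q, so gcd(S - S', n) yields a prime factor of n."""
    return gcd(s_good - s_bad, n)

def sign_crt_checked(m, p, q, d, e, fault_in_sq=False):
    """Countermeasure listed on the slide (execute the inverse algorithm): verify the
    signature with the public exponent before releasing it; on mismatch return None."""
    n = p * q
    s = sign_crt(m, p, q, d, fault_in_sq)
    return s if pow(s, e, n) == m % n else None

if __name__ == "__main__":
    m = 123456789
    s = sign_crt(m, P, Q, D)
    s_bad = sign_crt(m, P, Q, D, fault_in_sq=True)
    print("factor recovered from (S, S'):", factor_from_faulty_signature(s, s_bad, N) == P)
    print("checked signing under fault returns:", sign_crt_checked(m, P, Q, D, E, fault_in_sq=True))
```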


Countermeasures
Hardware
- Redundancy: hardware implemented twice with a comparison
- Better detectors

[Slide diagram: Data feeds Bloc 1 and Bloc 2, giving Result 1 and Result 2; a Comparison outputs the Result, or raises Fault Detected, on which the Decision logic triggers a reaction: interrupt (IT) or Reset.]


Outline
- Smart Cards: What and Why
- Attacks on cards
  - Physical
  - Timing, SPA, DPA, DFA
- Attacks on systems using Smart Cards
- Examples


Systems Using Smart Cards

- Smart cards cannot interact directly with the card holder
- Smart cards are used in IT systems to store users' credentials for authentication, signature or ciphering
- Classical IT security concepts apply to these systems:
  - Trusted path
  - Security policies
  - Trojan horses


Trusted Path: Normal PIN Verification on a PC

Trusted Path: PIN code verification (slide: the PC displays "Enter your PIN", the user types "****", and VerifyPIN is sent to the card)


Trojan Horses: the Future

- Stealing the PIN might not be interesting
- Placing calls on expensive numbers would
- What about J2ME phones?


Summary
Bugs
- Insecure handling of data
- Buffer overflows
Design errors
- Plain text or bad protocols
- Reverse engineering of programs
Attacks on the TCB
- Trojan horses
- Viruses


Wrong Cryptographic Design

- Short keys
- Weak algorithms
- Broken protocols
Examples:
- French Credit Card
- COMP128 for GSM


Conclusion
- Smart cards are like any security devices: they have limitations
- A system should be designed with these limitations in mind
- A system should be upgradeable to deal with the (inevitable?) security breach or the aging of the technology
- The race goes on


Scenario #01
Symptom: Merchants complain that their fund deposits are never credited to their accounts. Deposits are sealed in specific envelopes at the end of each day and deposited by the merchants in the front-door mailboxes of their banks. Physical access to the mailboxes is smart-card protected. Police investigation: card access control OK, mailbox OK.


Scenario #01 : what happened


The criminal opened an account at the attacked bank, pretending he was a merchant. He consequently got a smart card granting him access to the mailbox. He then bought a heavy metal vault, made a rectangular hole in it and came to the bank just after office hours. Using his smart card he accessed the mailbox's man-trap, taped shut the real mailbox's slot and placed the vault on the ground, securing it with a steel chain and an impressive padlock. Finally, he added a printed text (bearing the bank's logo): "WORK IN PROGRESS, PLEASE PLACE YOUR DEPOSITS IN THE VAULT, THANKS".


Scenario #02
Symptom: Users insert their cards into ATMs and enter their PINs but get no money. The ATM swallows the card and displays the message "INVALID CARD CONTACT YOUR BANK"; money was however withdrawn with the card later.


Scenario #02 : what happened


A false ATM...


Scenario #03
Symptom: Same as scenario 2, using a smart card with an EEPROM counter limited to 3. The card is always returned to the user, but if its EEPROM counter contains 3 the card cannot be used anymore. An audit of the ATM's log file showed that although the thief presented three false PIN codes, he could somehow try again and again. The correct PIN was found by exhaustive search after approximately 5000 attempts.


Scenario #03 : what happened


In old cards, EEPROM programming was done using an external programming voltage (Vpp) supplied through a specific ISO contact. The thief had covered this card contact with a paper sticker, making EEPROM programming impossible.


Scenario #04
Symptom: The ATM's log file and cash stock do not match; money is missing. An audit of the ATM's log file showed that the same user withdrew money several times. He always "forgot" his banknotes, which were swallowed back by the ATM after a short time-out (a security feature).


Scenario #04 : what happened


The thief would withdraw three banknotes but take only two of them. The remaining banknote was detected by the paper sensor and swallowed back by the ATM which automatically cancelled the transaction (no debit on user's account). The paper sensor could not distinguish between one, two or three banknotes...


Scenario #05
Symptom : Although PIN-protected, stolen smart credit cards were successfully used to withdraw money. An audit of the ATM's log file shows that the correct PIN was used in the withdrawal operation.


Scenario #05 : what happened


The fraud was technical: the smart card's software was programmed to compare the presented PIN and, if incorrect, to increase the EEPROM counter. EEPROM programming is characterised by an increased power consumption and requires 5 ms. The thief used a board that automatically presented all the PIN values (0000 to 9999) but detected the current consumption increase and powered off the card before the EEPROM error counter could be updated.


Scenario #06
Symptom : Users complain that the ATM has swallowed their card but when employees look into the ATM there is no card.


Scenario #06 : what happened


A collar was put on the front of the slot; once the card was in, it was impossible to get it out. A thief told the victim to go into the bank to ask for the card, then took out the card and the collar and ran away. Unfortunately for us, this technique was quite popular in Marseilles and was called "le collet marseillais".

